The very long story on how I setup LDAP authentication for my samba shares with ACLs on TrueNAS
Disclaimer: This is not a tutorial, just a lot of notes about how I setup SMB shares with LDAP auth on TrueNAS
So with my new NAS I thought it might be nice to do things properly and have a centralized user system for all the other apps that I have.
First thing that comes to mind is an AD there are a few issues with that:
Next I found FreeIPA which is pretty cool, and I probably could get it to work now but when I started last week I could not get it to work with the smb shares. This is one thing I might go back to and try again
So next I went to town and installed OpenLDAP this was the easy part this tutorial pretty much explains it all https://computingforgeeks.com/install-and-configure-openldap-server-ubuntu/ . The main things are:
So I don't know why it's need but somehow doesn't work without.
As I'm trying to set up a proper network, I didn't want to just generate certificates on the LDAP container and transfer them to machines on the network afterwards.
So I launched XCA and created a new DB, created a CA certificate/pkey combo and an TLS certificate/pkey for the LDAP serverI then put the CA certificate and LDAP TLS certificate under /etc/ssl/certs/ and the LDAP TLS private key under /etc/ssl/private/
Then followed this tutorial https://computingforgeeks.com/secure-ldap-server-with-ssl-tls-on-ubuntu/ skipping the part about generating the certificates (start at step 2) and using the proper paths.
I also added the certificates in **every **config file possible, added the ldaps:/// service in /etc/default/slapd
And it worked, yay
Adding LDAP auth was really easy, just pop in the hostname, base and bind DNs (+ the password) and that was itAt this point, I had a test account on my LDAP server and was able to ssh to TrueNAS with this user
That's the tricky part, as there is so little documentation / forum post that you might as well say that there is none
After many hours of searching, I found this note in the truenas documentation:
Again, doing the smbldap-tools is the tricky part. The Ubuntu tutorial is pretty good (https://guide.ubuntu-fr.org/server/samba-ldap.html) a few things were different tho:
The command smbldap-populate should work without any issues:Then using an LDAP browser you should see the root and nobody users in the people OUs:The most important part is the samba attributes, if they aren't there something is messed up
It's actually really easy, you just' can't do it remotely in order to populate the samba fields:
smbldap-useradd -a -d /mnt/main/home/my_user -N my_user -P -B 0 -s /bin/bash my_user
Actually, using smbclient with a user in the LDAP does not workTurns out it didn't even find the userI thought that TrueNAS would automatically configure samba to use ldap what a naive mistake why the hell would something work when you activate it...
So after search for I while I figured out that you can either have local login or ldap login fine I guess but not ideal if the LDAP server fails.
To configure samba, I wrote this in the auxiliary parameters of the SMB service settings:
passdb backend = ldapsam:ldap://192.168.1.52 ldap admin dn = cn=admin,dc=lan,dc=xxxxxx,dc=fr ldap group suffix = ou=groups ldap machine suffix = ou=machines ldap passwd sync = yes ldap suffix = dc=lan,dc=xxxxxx,dc=fr ldap ssl = no ldap user suffix = ou=people idmap config * : range = 10000-39999 ldapsam:trusted = yes idmap config * : backend = tdb
This translates to this full config
That was not the end tho because now using smbclient printed out this error:After starting smbd manually once again, this was the actual error:
The primary group domain sid(S-1-5-21-1836219694-1107345289-1677364427-513) does not match the domain sid(S-1-5-21-3359593988-3909439102-1203953793) for david(S-1-5-21-3359593988-3909439102-1203953793-10004)
When I think about it, the domain SID is clearly wrong, and it's using the SID from the FLUFFY domain instead of the actual one, so I got the sid for it and modified every ldap entry (groups included) by replacing
S-1-5-21-3359593988-3909439102-1203953793 (fluffy) to
S-1-5-21-1836219694-1107345289-1677364427 (which is the value that worked for me).
Then as a good measure I also modified the SID= in the /etc/smbldap-tools/smbldap.conf file
Next came a lof of joy:It actually worked and sure enough it mounted just fine
So right now I have two shares, the home one and the media one (containing photos and videos, probably audio at some point)
To start, I created a few groups with smbldap-groupadd and reorganized them.Then I edited all the ACLs on TrueNAS to look like this:
User: root Group: Gringotts User ACLs: @group ALLOW Traverse @owner ALLOW Full
User: root Group: Gringotts User ACLs: @group ALLOW Read @owner ALLOW Full
User: root Group: Gringotts User ACLs: @owner ALLOW Full "Gringotts Photo Read" ALLOW Read "Gringotts Photo Write" ALLOW Full
User: root Group: Gringotts User ACLs: @owner ALLOW Full "Gringotts Video Read" ALLOW Read "Gringotts Video Write" ALLOW Full
These ACLs only allow access to members of the "Gringotts User" group to the shares and granularly the Read/Write permissions for the video and photo dataset
**Note: **I did have to restart smbd on TrueNAS manually to update the permissions
I'm very happy on how it turned out, the LDAP is pretty easy to manage and sync-up pretty fast. There are a few things that could be better / will do next:
Main resources / websites used for this setup:
Want to chat about this article? Just post a message down here. Chat is powered by giscus and all discussions can be found here: TheStaticTurtle/blog-comments